Freelancer’s Question: Does my freelancer email marketing breach the GDPR?

Freelancer’s Question: Is a company I no longer wish to hear from breaching the UK’s GDPR rules if I’ve asked to be unsubscribed from their email communications but they still email me? I’d like to  know what action under the GDPR I could bring against the company, as they email me too often with much of their content being clickbait.

And more crucially to me, are there GDPR implications for myself – also a freelance consultancy owner – if people try to unsubscribe from my own email marketing communications but the ‘unsubscribe’ link doesn’t work, or is to a ‘dead’ page? Surely people can just find another way on my website to unsubscribe. 

Lastly, I’ve heard that some of my generic marketing emails don’t always display in a readable format, meaning parties that wisht to unsubscribe simply can’t because the contents of the email are unclickable, character jumbles. Would that have GDPR implications too?

Expert’s Answer: Data protection legislation has many implications for marketing practices, including email marketing and newsletter mailings.

In the UK, the Privacy and Electronic Communications Regulations (PECR) sit alongside the UK General Data Protection Regulation (GDPR).

Rights, mechanisms and consent

Both of these give people specific rights in relation to electronic communications. Thus, a sending company, under the GDPR and the PECR, must ensure certain mechanisms are set up when engaging in direct marketing.

Firstly, as a general reminder, before engaging in direct marketing towards consumers, it is mandatory for a company to obtain their affirmative consent, which must be ‘freely given, specific, informed, and unambiguous’ (unless the company has a legitimate interest to do so, e.g. performing a contract with the consumer).

Please note, this obligation does not apply to B2B direct marketing messages to corporate email addresses.

Is it ‘easy’ both ways?

More importantly, the sending company must give users the ability to opt-out of marketing emails. This means that the company is required to make it as easy for users to withdraw their consent as it is to give it, with a process that is both clear and simple.

This can be done by including a visible and valid unsubscribe link in your emails and making it possible for users to manage their preferences in their account’s settings. It is also recommended to allow users to contact a return email address for any issue.

Therefore, if users who have unsubscribed from a newsletter continue to receive emails, the company is not complying with the GDPR obligations.

When the GDPR is being flouted (cont.)

Similarly, when it is not possible for users to opt-out of marketing emails, for instance because the unsubscribe link does not work or is unreadable, this constitutes a breach of the GDPR for which you, the sender, may be liable.

As to your initial question, if you think your data protection rights have been breached, the first thing to do is to reach out to the company to solve the issue. Once you have exhausted the internal complaints procedure of the sending company, if you are still not satisfied with the outcome and wish to lodge an official complaint, you can always contact your national Data Protection Authority (DPA). Your DPA will send you back to the sending company’s internal procedures if you cannot demonstrate that you have done so already.

Involving a watchdog, and the teeth they bite with

In the UK, the DPA is the Information Commissioner’s Office (ICO). You can make a complaint to the ICO here. If you are located outside of the UK, you can find your DPA here.

Be aware, national authorities could possibly impose an administrative fine in addition to or instead of further remedies or corrective powers (depending on the gravity of the violation). The fine framework can be up to 10 million euros or 2% of the company’s total global turnover of the preceding year, whichever is higher; or, for especially severe violations, up to 20 million euros or 4% of their total global turnover. While it is rare for e-marketing fines to reach such levels, the ICO is very active in this area, as demonstrated by the Virgin Media case-ruling of December 2021.

Final thought

Of course, the above only constitutes general guidelines. If you need legal advice specific to your case, do not hesitate to speak to a specialised lawyer! Good luck.

The expert was Evane Alexandre, legal intern at Gerrish Legal, a London and Paris digital law firm specialising in the GDPR and UK freelancers.